Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Audio HD Driver' = '%TEMP%\win.exe'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\win.exe
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Modifies file system
Creates the following files
- %TEMP%\serv.exe
- %TEMP%\tgp.jpg
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\f8b62a7e0898a45bb79b4b5eca503faf_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\72a9caa2c7b732d09aefcac74c853c14_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\ba7d4720fdd954e62596b8f0f91dea18_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\99fe3b9c8ce3aec5d527e94a38e7c083_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %TEMP%\win.exe
Sets the 'hidden' attribute to the following files
- %TEMP%\win.exe
- %APPDATA%\microsoft\windows\start menu\programs\startup\win.exe
Network activity
TCP
HTTP GET requests
- http://ho###age.cz.cc/cinterval.txt
HTTP POST requests
- http://ho###age.cz.cc/connect.php
UDP
- DNS ASK ho###age.cz.cc
- DNS ASK 16##86.com
Miscellaneous
Creates and executes the following
- '%TEMP%\serv.exe'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' Advfirewall set Currentprofile State off
